degesch: fix certificate verification

Also print some certificate information while connecting.

1 files changed, 30 insertions, 2 deletions

diff --git a/degesch.c b/degesch.c
index 2cd31ff..9eb1882 100644
--- a/degesch.c
+++ b/degesch.c
@@ -3842,12 +3842,40 @@ struct transport_tls_data
 	bool ssl_tx_want_rx;                ///< SSL_write() wants to read
 };
 
+/// The index in SSL_CTX user data for a reference to the server
+static int g_transport_tls_data_index = -1;
+
+static int
+transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
+{
+	SSL *ssl = X509_STORE_CTX_get_ex_data
+		(ctx, SSL_get_ex_data_X509_STORE_CTX_idx ());
+	struct server *s = SSL_CTX_get_ex_data
+		(SSL_get_SSL_CTX (ssl), g_transport_tls_data_index);
+
+	X509 *cert = X509_STORE_CTX_get_current_cert (ctx);
+	char *subject = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
+	char *issuer  = X509_NAME_oneline (X509_get_issuer_name  (cert), NULL, 0);
+
+	log_server_status (s, s->buffer, "Certificate subject: #s", subject);
+	log_server_status (s, s->buffer, "Certificate issuer: #s", issuer);
+
+	free (subject);
+	free (issuer);
+	return preverify_ok;
+}
+
 static bool
 transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 {
 	bool verify = get_config_boolean (s->config, "ssl_verify");
-	if (!verify)
-		SSL_CTX_set_verify (ssl_ctx, SSL_VERIFY_NONE, NULL);
+	SSL_CTX_set_verify (ssl_ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
+		transport_tls_verify_callback);
+
+	if (g_transport_tls_data_index == -1)
+		g_transport_tls_data_index =
+			SSL_CTX_get_ex_new_index (0, "server", NULL, NULL, NULL);
+	SSL_CTX_set_ex_data (ssl_ctx, g_transport_tls_data_index, s);
 
 	// TODO: allow specifying SSL_CTX_set_cipher_list()
 	SSL_CTX_set_mode (ssl_ctx,